The US Department of Health and Human Services has released a document offering guidance on protecting electronic health record data. The document says that electronic medical data must be rendered "unusable, unreadable or indecipherable" to those who do not have the authority to view them, and recommends encryption and destruction as acceptable methods of meeting those requirements. The document is tied to two sets of breach notification regulations required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the economic stimulus bill. One set of notification guidelines will be issued by HHS, and the second will be issued by the Federal Trade Commission for entities not covered by the Health Insurance Portability and Accountability Act (HIPAA). Organizations that comply with the guidelines set forth in the document will not be held to breach notification requirements. HHS will accept public comments on the document through May 21, 2009.
http://fcw.com/Articles/2009/04/20/HHS-releases-guidance-on-securing-electronic-health-data.aspx
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechrfi.pdf
http://www.nextgov.com/nextgov/ng_20090420_8620.php
http://govhealthit.com/articles/2009/04/20/health-it-privacy-guidelines.aspx
[Editor's Note (Pescatore): The real key is enforcing existing regulations around personal health information vs. any real need for new regulations.
(Liston): I completely disagree with giving these companies a free pass from breach notification simply because they checked the "we encrypt" box on some form. Doing encryption is easy... doing encryption well is hard. Also, encrypting data-at-rest and data-in-motion is wonderful, but what if a breach targets data-in-use?]